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New variants of the Trinity and Stacheldraht Distributed Denial of Service (DDoS) tools have been found 
in the wild. As was demonstrated in February of this year, DDoS attacks can bring down networks by 
flooding target machines with more traffic than the machines can process. This advisory provides an 
update to previous NIPC DDoS advisories (issued since December 1999) on similar tools such as 
"mstream," "Tribal Flood Network," and "trinoo." The NIPC has recently determined that masters tied to 
zombies have been placed on many users' systems, heightening the possibility of a DDoS attack in the 
future. In addition to large corporate and university systems, affected users also include those with home 
computers having broadband access such as DSL and cable modem. The NIPC recommends that all 
computer network owners and organizations examine their systems for evidence of DDoS tools, including 
Trinity and Stacheldraht. 

The "Trinity v3" Distributed Denial of Service (DDoS) exploit represents a potentially serious and 
continuing threat to networked computers running certain versions of the Linux operating system. Trinity 
v3 is a DDoS tool that is controlled via IRC or ICQ. When a system has been compromised and the Trinity 
v3 tool installed, each compromised machine joins a specified IRC channel and waits for commands. The 
Trinity v3 tool enables intruders to use multiple, Internet-connected systems to launch packet flooding 
denial of service attacks against one or more target systems. At least eight variations of Trinity have been 
found on the Undernet Internet Relay Chat network, each reporting to a different IRC channel. Trinity v3 
responds to commands in IRC channels on lines beginning with "(trinity)," and the "Entitee" version of 
Trinity responds to lines beginning with "(entitee)." 

System administrators should ensure their TCP Port Scanners are configured to scan port 33270 as 
machines found listening at this port may have the Trinity portshell installed. Trinity v3 is difficult to detect 
because the agent does not listen to specific ports to receive commands, but receives them over IRC. 
Watching for suspicious IRC traffic is useful in detecting Trinity v3. It is important to note that if Trinity v3 
is found on a system, the system may have experienced root level compromise. 

Stacheldraht consists of three parts - a master server, a client, and an agent program - and runs on 
Linux and Solaris machines. Stacheldraht performs several types of flooding attacks, and has IRC 
flooding options. The latest Stracheldraht variants, "Stacheldraht 1.666+antigl+yps" and "Stacheldraht 
1.666+smurf+yps" prompt the user for a password when building the binaries. 

The NIPC DDoS detection tool has been modified to detect Trinity v3 and some new variants of 
Stacheldraht. While the tool is designed to detect mutations of these DDoS tools, it may not detect all 
variants of the tools. NIPC will continue to update the detection tool as we receive new DDoS variants. 
Currently, the NIPC tool (find_ddos) detects the DDoS exploit in the following operating systems: Solaris 
on Sparc or Intel platforms, and Linux on Intel platforms. The tool currently detects mstream, tfn2k client, 
tfn2k daemon, trinoo daemon, trinoo master, tfn daemon, tfn client, stacheldraht master, stacheldraht 
client, stachelddraht daemon and tm-rush client. Please refer 
to http://www.nipc.gov/warnings/alerts/1999/trinoo.htm for more information. 

• Readme 

• Solaris on Sparc Executable File (tar, compressed format) version 4.2 

• Linux on Intel Executable File (tar, compressed format) version 4.2 

• Solaris on Intel Executable File (tar, compressed format) version 4.2 

• Checksums (The MD5 Checksums are provided to verify the integrity of the files.) 

Alternatively, specific technical instructions are available from CERT Coordination Center, SANS Institute, 
and other competent sources. CERT/CC, SANS Institute, and the University of Washington have 



published information on distributed denial of service exploits that can be readily found at the following 
web sites: 

http://cert.org/reports/dsit workshop.pdf 

http://www.sans.org/dosstep/index.htm 

http://www.staff.washington.edu/dittrich/misc/ddos/elias.txt 

Please report any illegal or malicious activities to your local FBI office or the NIPC, and to your military or 
civilian computer incident response group, as appropriate. 


